Reverse Engineering Stack Exchange is a question and answer site for researchers and developers who explore the principles of a system through analysis of its structure, function, and operation. It only takes a minute to sign up.

From what I understand about .NET code, it is first compiled to Microsoft Common Intermediate Language (MSIL) before being translated to machine code at runtime.

Whereas C++ code is compiled directly to machine code.

So reverse engineering .NET DLLs is a lot easier than reverse engineering C++ DLL because of the rich metadata that MSIL has. However, if I obfuscate my .NET code with the best possible .NET obfuscation tools, can I get the kind of decompilation protection that C++ DLLs offer? Why?

1 Answer
1

C++ code is most likely translated to assembly and then translated to machine code

.net code is compiled to Bytecode which is executed in a virtual environment

Wikipedia provides a good overview of current .net obfuscators and the techniques they apply: Wikipedia: List of obfuscators for .NET All of these techniques offer a huge increase in secrecy, but can not hope to reach the security offered by packed / obfuscated binaries (see recent malware packing / obfuscation)

On the other hand, 'standard' C++ libraries are not obfuscated, i.e. they don't have a decompilation protection. Most problems emerging while reverse engineering them originate from compiler optimization techniques.

.Net binaries contains semantic information. Machine code has no concept for 'strings' or variable types other than x-byte-sized fields. That being said, the obfuscation offered by the frameworks on the wikipedia page should be more than sufficient for most scenarios.

Do you see that there are decompilers that can deobfuscate the tools you mention? such as de4dot
– GravitonSep 2 '16 at 23:32

While some specific obfuscations may be 'undone' by searching for traces the original obfuscater leaves behind, the actual recovered code, nevertheless should be only slightly better understandable than decompiled C++ code. Thanks for pointing that out
– NordwaldSep 5 '16 at 5:36

Nordwald, I've read your answers a few times during past few days, and I am not sure what is your point. C++ compiles to machine code whereas .Net compiles to IL language. Even the most obfuscated IL code is more readable than machine code, is it not so?
– GravitonSep 7 '16 at 7:21

Not necessarily. While IL code does contain some meta-information, obfuscations like spaghetti code DO apply here. Anyways, obfuscated machine code will always be harder to reverse than obfuscated IL. Someone familiar with assembler instructions and compiler optimization might rather analyze the compiled binary than obfuscated IL.
– NordwaldSep 7 '16 at 9:33

If you reverse X86 asm everyday you might find it easier than obfuscated MSIL. MSIL is probably simpler to read, but less people are experienced in it.
– rollsNov 30 '16 at 23:32